https://community.splunk.com/t5/Splunk-Search/How-do-you-pull-field-values-from-an-outer-query-to-show-in/m-p/431471#M123330 <P>I have a log file from which I extract the below table of test results, where each test result row describes a particular test status (PASS OR FAIL) and shows test start and end times.</P> <PRE><CODE>Action Status startTime endTime TEST_1 Success 1540031963.935 1540032192.644 TEST_2 Success 1540030901.177 1540031831.031 TEST_3 Success 1540030639.272 1540030890.771 TEST_4 Success 1540030498.098 1540030628.755 TEST_5 Success 1540030046.730 1540030487.604 TEST_6 Fail 1540028918.752 1540030040.026 </CODE></PRE> <P>For each test result or row, I would like to show a count for number of exceptions encountered during that test that is between start and end time for that test and be able to disable table as such: </P> <PRE><CODE>Action Status startTime endTime ExceptionCount TEST_1 Success 1540031963.935 1540032192.644 10 TEST_2 Success 1540030901.177 1540031831.031 20 TEST_3 Success 1540030639.272 1540030890.771 0 TEST_4 Success 1540030498.098 1540030628.755 1 TEST_5 Success 1540030046.730 1540030487.604 0 TEST_6 Fail 1540028918.752 1540030040.026 15 </CODE></PRE> <P>I use the map command to iterate over each row/test result and use the <CODE>rex</CODE> command to parse and count exceptions between earliest and latest whose values come from the row's start and end times. This is working but I don't know how to pull in the value of Action and Status field from the outer query. </P> <PRE><CODE> index=myIndex host=abc sourcetype=AbcServer source="/opt/*" "Test Result:" | rex .*"Action: "(?\w+).*", Test Result: "(?\w+).*", Start Time: "(?\d+\.\d+)", End Time: "(?\d+\.\d+) | table Action Status startTime endTime | map maxsearches=1000 search="search index=myIndex host=abc sourcetype=AbcServer earliest=$startTime$ latest=$endTime$ *Exception | rex .*\": (?[\w\.]*Exception)\" | stats count(exceptionClass) as CNT" | table Action Status CNT Action Status CNT 10 20 0 1 0 15 </CODE></PRE> <P>Any thoughts on how to get Action and Status values into final result?</P> <P>Thanks</P> Sat, 20 Oct 2018 11:27:56 GMT bobkaz 2018-10-20T11:27:56Z https://community.splunk.com/t5/Splunk-Search/How-do-you-pull-field-values-from-an-outer-query-to-show-in/m-p/431471#M123330 <P>I have a log file from which I extract the below table of test results, where each test result row describes a particular test status (PASS OR FAIL) and shows test start and end times.</P> <PRE><CODE>Action Status startTime endTime TEST_1 Success 1540031963.935 1540032192.644 TEST_2 Success 1540030901.177 1540031831.031 TEST_3 Success 1540030639.272 1540030890.771 TEST_4 Success 1540030498.098 1540030628.755 TEST_5 Success 1540030046.730 1540030487.604 TEST_6 Fail 1540028918.752 1540030040.026 </CODE></PRE> <P>For each test result or row, I would like to show a count for number of exceptions encountered during that test that is between start and end time for that test and be able to disable table as such: </P> <PRE><CODE>Action Status startTime endTime ExceptionCount TEST_1 Success 1540031963.935 1540032192.644 10 TEST_2 Success 1540030901.177 1540031831.031 20 TEST_3 Success 1540030639.272 1540030890.771 0 TEST_4 Success 1540030498.098 1540030628.755 1 TEST_5 Success 1540030046.730 1540030487.604 0 TEST_6 Fail 1540028918.752 1540030040.026 15 </CODE></PRE> <P>I use the map command to iterate over each row/test result and use the <CODE>rex</CODE> command to parse and count exceptions between earliest and latest whose values come from the row's start and end times. This is working but I don't know how to pull in the value of Action and Status field from the outer query. </P> <PRE><CODE> index=myIndex host=abc sourcetype=AbcServer source="/opt/*" "Test Result:" | rex .*"Action: "(?\w+).*", Test Result: "(?\w+).*", Start Time: "(?\d+\.\d+)", End Time: "(?\d+\.\d+) | table Action Status startTime endTime | map maxsearches=1000 search="search index=myIndex host=abc sourcetype=AbcServer earliest=$startTime$ latest=$endTime$ *Exception | rex .*\": (?[\w\.]*Exception)\" | stats count(exceptionClass) as CNT" | table Action Status CNT Action Status CNT 10 20 0 1 0 15 </CODE></PRE> <P>Any thoughts on how to get Action and Status values into final result?</P> <P>Thanks</P> Sat, 20 Oct 2018 11:27:56 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-pull-field-values-from-an-outer-query-to-show-in/m-p/431471#M123330 bobkaz 2018-10-20T11:27:56Z https://community.splunk.com/t5/Splunk-Search/How-do-you-pull-field-values-from-an-outer-query-to-show-in/m-p/431472#M123331 <P>@bobkaz , you can try using Action and Status in the map command like the following and perform the stats by the two fields.</P> <PRE><CODE> | eval Action=\"$Action$\", Status=\"$Status$\" | stats count(exceptionClass) as CNT" by Action Status </CODE></PRE> <P>Following is the one SPL based on existing search ( I think some of the characters in your post do not show up as expected).</P> <PRE><CODE> index=myIndex host=abc sourcetype=AbcServer source="/opt/*" "Test Result:" | rex .*"Action: "(?\w+).*", Test Result: "(?\w+).*", Start Time: "(?\d+\.\d+)", End Time: "(?\d+\.\d+) | table Action Status startTime endTime | map maxsearches=1000 search="search index=myIndex host=abc sourcetype=AbcServer earliest=$startTime$ latest=$endTime$ *Exception | rex .*\": (?[\w\.]*Exception)\" | eval Action=\"$Action$\", Status=\"$Status$\" | stats count(exceptionClass) as CNT" by Action Status | table Action Status CNT </CODE></PRE> <P>However, do give sample events for Exceptions corresponding to a test case so that we can assist you with any other approach as map could be an expensive command for correlation your use case.</P> Sun, 21 Oct 2018 15:31:41 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-pull-field-values-from-an-outer-query-to-show-in/m-p/431472#M123331 niketn 2018-10-21T15:31:41Z https://community.splunk.com/t5/Splunk-Search/How-do-you-pull-field-values-from-an-outer-query-to-show-in/m-p/431473#M123332 <P>Hi niketnilay,</P> <P>Thanks for your suggestion, I tweaked my SPL accordingly and it now runs successfully. However, when I add it to a statistics panel in the dashboard, it doesn't run and keeps saying "waiting for input", see attached picture.</P> <P><STRONG>SPL:</STRONG></P> <PRE><CODE>index=nsplogs host=hostA sourcetype=serverLog source="/opt/*" "Test Result:" | rex .*"Action: "(?\w+).*", Test Result: "(?\w+).*", Start Time: "(?\d+\.\d+)", End Time: "(?(\d+\.\d+)).* | table Action Status startTime endTime | map maxsearches=1000 search="search index=nsplogs host=hostB sourcetype=serverLog earliest=$startTime$ latest=$endTime$ *Exception | rex .*\": (?[\w\.]*Exception)\" | eval Action=\"$Action$\", Status=\"$Status$\", startTime=\"$startTime$\", endTime=\"$endTime$\" | stats count(exceptionClass) as ExceptionCount by Action Status" | table Action Status ExceptionCount </CODE></PRE> <P>Note that values of host attribute reflect real server names and aren't parametrized or are not tokens, so I don't know what input it is waiting for.</P> <P>Attached is a picture showing dashboard source code.</P> <P>Any thoughts?</P> <P>Thanks</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5936i72A08B0AA66275AB/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5937i1C9DFFF3B2B8D272/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Mon, 22 Oct 2018 14:25:27 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-pull-field-values-from-an-outer-query-to-show-in/m-p/431473#M123332 bobkaz 2018-10-22T14:25:27Z https://community.splunk.com/t5/Splunk-Search/How-do-you-pull-field-values-from-an-outer-query-to-show-in/m-p/431474#M123333 <P>Hi niketnilay,</P> <P>I figured out the problem. I had to replace every $ with $$ inside map command for SPL to work inside dashboard panel. Below is my working SPL:</P> <P>index=nsplogs host=hostA sourcetype=serverLog source="/opt/<EM>" "Test Result:" <BR /> | rex .</EM>"Action: "(?\w+).<EM>", Test Result: "(?\w+).</EM>", Start Time: "(?\d+.\d+)", End Time: "(?(\d+.\d+)).*<BR /><BR /> | table Action Status startTime endTime <BR /> | map maxsearches=1000 search="search index=nsplogs host=hostB sourcetype=serverLog earliest=$$startTime$$ latest=$$endTime$$ <EM>Exception <BR /> | rex .</EM>\": (?[\w.]*Exception)\" | eval Action=\"$$Action$$\", Status=\"$$Status$$\", startTime=\"$$startTime$$\", endTime=\"$$endTime$$\"<BR /> | stats count(exceptionClass) as ExceptionCount by Action Status"<BR /> | table Action Status ExceptionCount</P> <P>Thanks a lot for your help, truly appreciated!</P> Wed, 24 Oct 2018 04:55:06 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-pull-field-values-from-an-outer-query-to-show-in/m-p/431474#M123333 bobkaz 2018-10-24T04:55:06Z https://community.splunk.com/t5/Splunk-Search/How-do-you-pull-field-values-from-an-outer-query-to-show-in/m-p/431475#M123334 <P>@bobkaz, the <CODE>$</CODE> in the map command needs to be escaped in dashboard by prefixing with another <CODE>$</CODE> sign. Refer to one of my previous answers: <A href="https://answers.splunk.com/answers/680801/why-is-the-search-using-map-wont-work-in-dashboard.html">https://answers.splunk.com/answers/680801/why-is-the-search-using-map-wont-work-in-dashboard.html</A></P> <P>Please try out and confirm! Do up vote if it helps <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 24 Oct 2018 05:19:02 GMT https://community.splunk.com/t5/Splunk-Search/How-do-you-pull-field-values-from-an-outer-query-to-show-in/m-p/431475#M123334 niketn 2018-10-24T05:19:02Z